CVE-2026-22240

The vulnerability exists in BLUVOYIX due to an improper password storage implementation and subsequent exposure via unauthenticated APIs. An unauthenticated remote attacker could exploit this vulnerability by sending specially crafted HTTP requests to the vulnerable users API to retrieve the plaintext passwords of all user users. Successful exploitation of this vulnerability could allow the attacker to gain full access to customers' data and completely compromise the targeted platform by logging in using an exposed admin email address and password.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://blusparkglobal.com/bluvoyix/	Product

Configurations

Configuration 1 (hide)

cpe:2.3:a:blusparkglobal:bluvoyix:-:*:*:*:*:*:*:*

History

02 Feb 2026, 15:50

Type	Values Removed	Values Added
First Time		Blusparkglobal bluvoyix Blusparkglobal
CPE		cpe:2.3:a:blusparkglobal:bluvoyix:-:::::::*
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 7.5
References	~~() https://blusparkglobal.com/bluvoyix/ -~~	() https://blusparkglobal.com/bluvoyix/ - Product

14 Jan 2026, 15:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-01-14 15:16

Updated : 2026-02-02 15:50

NVD link : CVE-2026-22240

Mitre link : CVE-2026-22240

CVE.ORG link : CVE-2026-22240

JSON object : View

Products Affected

blusparkglobal

bluvoyix

CWE

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

CWE-312

Cleartext Storage of Sensitive Information

CWE-522

Insufficiently Protected Credentials

{"id": "CVE-2026-22240", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 3.9}], "cvssMetricV40": [{"type": "Secondary", "source": "56a186b1-7f5e-4314-ba38-38d5499fccfd", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 10.0, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:M/U:Red", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "RED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "MODERATE", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-01-14T15:16:05.413", "references": [{"url": "https://blusparkglobal.com/bluvoyix/", "tags": ["Product"], "source": "56a186b1-7f5e-4314-ba38-38d5499fccfd"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "56a186b1-7f5e-4314-ba38-38d5499fccfd", "description": [{"lang": "en", "value": "CWE-200"}, {"lang": "en", "value": "CWE-312"}, {"lang": "en", "value": "CWE-522"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-522"}]}], "descriptions": [{"lang": "en", "value": "The vulnerability exists in BLUVOYIX due to an improper password storage implementation and subsequent exposure via unauthenticated APIs. An unauthenticated remote attacker could exploit this vulnerability by sending specially crafted HTTP requests to the vulnerable users API to retrieve the plaintext passwords of all user users. Successful exploitation of this vulnerability could allow the attacker to gain full access to customers' data and completely compromise the targeted platform by logging in using an exposed admin email address and password."}], "lastModified": "2026-02-02T15:50:22.353", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:blusparkglobal:bluvoyix:-:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "84FDD5FA-DB87-4263-A7F2-C136D7F4155C"}], "operator": "OR"}]}], "sourceIdentifier": "56a186b1-7f5e-4314-ba38-38d5499fccfd"}